US10021132B2 · Active · Utility · PatentIndex 73

Limiting the efficacy of a denial of service attack by increasing client resource demands

Assignee: JUNIPER NETWORKS INC · Priority: Sep 30, 2013 · Filed: Jul 3, 2017 · Granted: Jul 10, 2018
Est. expiry: Sep 30, 2033 (~7.2 yrs left) · nominal 20-yr term from priority
Inventors: ADAMS KYLE; QUINLAN DANIEL J
Classifications: H04L 63/1425; H04L 63/1441; H04L 63/1458; H04L 67/303; G06F 2221/2103; H04L 2463/144; H04L 47/808; H04L 2463/141; H04L 63/10; H04L 67/42
PatentIndex Score: 73 · Cited by: 3 · References: 34 · Claims: 20

Abstract

A device may detect an attack. The device may receive, from a client device, a request for a resource. The device may determine, based on detecting the attack, a computationally expensive problem to be provided to the client device, where the computationally expensive problem requires a computation by the client device to solve the computationally expensive problem. The device may instruct the client device to provide a solution to the computationally expensive problem. The device may receive, from the client device, the solution to the computationally expensive problem. The device may selectively provide the client device with access to the resource based on the solution.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A device, comprising:
  a memory; and
  one or more processors to:
    receive a plurality of requests, for access to a resource, from a plurality of client devices;
    determine, based on the plurality of requests and based on detection of a denial-of-service attack, a computationally expensive problem;
    determine a percentage of the plurality of client devices to which to provide the computationally expensive problem based on one or more of a denial-of-service metric or information associated with the plurality of requests;
    determine, based on the percentage, a set of client devices, of the plurality of client devices, to which to provide the computationally expensive problem,
      a quantity of client devices in the set of client devices being less than a quantity of client devices in the plurality of client devices;
    provide the computationally expensive problem to each client device of the set of client devices,
      the computationally expensive problem causing each client device, of the set of client devices, to solve the computationally expensive problem;
    receive, from each client device of the set of client devices, a solution to the computationally expensive problem; and
    selectively grant or deny each client device, of the set of client devices, access to the resource based on whether the solution to the computationally expensive problem, received from each client device of the set of client devices, is correct.

2. The device of claim 1, where:
  each client device is granted access to the resource when the solution is correct, and
  when the solution is incorrect, each client device is denied access to the resource, and is provided an additional computationally expensive problem.

3. The device of claim 1, where the one or more processors are further to:
  determine a difficulty level for the computationally expensive problem.

4. The device of claim 3, where the difficulty level includes a value that represents a level of difficulty, on a difficulty scale, for the computationally expensive problem.

5. The device of claim 3, where, when determining the difficulty level for the computationally expensive problem, the one or more processors are to:
  determine the difficulty level for the computationally expensive problem based on at least one of:
    the denial-of-service metric,
    request categories for requests, of the plurality of requests, associated with the set of client devices,
    profiles associated with the set of client devices,
    request histories associated with the set of client devices, or
    probabilities that the requests, associated with the set of client devices, are suspicious or malicious.

6. The device of claim 1, where the one or more processors are further to:
  process the solution by at least one of:
    comparing the solution to a stored value; or
    performing a calculation using the solution; and
  selectively grant or deny each client device, of the set of client devices, access to the resource based on processing the solution.

7. The device of claim 1, where the one or more processors are further to:
  detect the denial-of-service attack based on at least one of:
    a traffic measurement,
    a response time measurement, or
    a latency measurement.

8. A non-transitory computer-readable storage medium storing instructions, the instructions comprising:
  one or more instructions that, when executed by one or more processors, cause the one or more processors to:
    receive a plurality of requests, for access to a resource, from a plurality of client devices;
    determine, based on the plurality of requests and based on detection of a denial-of-service attack, a computationally expensive problem;
    determine a percentage of the plurality of client devices to which to provide the computationally expensive problem based on one or more of a denial-of-service metric or information associated with the plurality of requests;
    determine, based on the percentage, a set of client devices, of the plurality of client devices, to which to provide the computationally expensive problem,
      a quantity of client devices in the set of client devices being less than a quantity of client devices in the plurality of client devices;
    provide the computationally expensive problem to each client device of the set of client devices,
      the computationally expensive problem causing each client device, of the set of client devices, to solve the computationally expensive problem;
    receive, from each client device of the set of client devices, a solution to the computationally expensive problem; and
    selectively grant or deny each client device, of the set of client devices, access to the resource based on whether the solution to the computationally expensive problem, received from each client device of the set of client devices, is correct.

9. The non-transitory computer-readable storage medium of claim 8, where:
  each client device is granted access to the resource when the solution is correct, and
  when the solution is incorrect, each client device is denied access to the resource, and is provided an additional computationally expensive problem.

10. The non-transitory computer-readable storage medium of claim 8, where the instructions further comprise:
  one or more instructions that, when executed by the one or more processors, cause the one or more processors to:
    determine a difficulty level for the computationally expensive problem.

11. The non-transitory computer-readable storage medium of claim 10, where the difficulty level includes a value that represents a level of difficulty, on a difficulty scale, for the computationally expensive problem.

12. The non-transitory computer-readable storage medium of claim 8, where the instructions further comprise:
  one or more instructions that, when executed by the one or more processors, cause the one or more processors to:
    determine a difficulty level for the computationally expensive problem based on at least one of:
      the denial-of-service metric,
      request categories for requests, of the plurality of requests, associated with the set of client devices,
      profiles associated with the set of client devices,
      request histories associated with the set of client devices, or
      probabilities that the requests, associated with the set of client devices, are suspicious or malicious.

13. The non-transitory computer-readable storage medium of claim 8, where the instructions further comprise:
  one or more instructions that, when executed by the one or more processors, cause the one or more processors to:
    process the solution by at least one of:
      comparing the solution to a stored value; or
      performing a calculation using the solution; and
    selectively grant or deny each client device, of the set of client devices, access to the resource based on processing the solution.

14. The non-transitory computer-readable storage medium of claim 8, where the instructions further comprise:
  one or more instructions that, when executed by the one or more processors, cause the one or more processors to:
    detect the denial-of-service attack based on at least one of:
      a traffic measurement,
      a response time measurement, or
      a latency measurement.

15. A method, comprising:
  receiving, by a security device, a plurality of requests, for access to a resource, from a plurality of client devices;
  determining, by the security device based on the plurality of requests and based on detection of a denial-of-service attack, a computationally expensive problem;
  determining, by the security device, a percentage of the plurality of client devices to which to provide the computationally expensive problem based on one or more of a denial-of-service metric or information associated with the plurality of requests;
  determining, by the security device and based on the percentage, a set of client devices, of the plurality of client devices, to which to provide the computationally expensive problem,
    a quantity of client devices in the set of client devices being less than a quantity of client devices in the plurality of client devices;
  providing, by the security device, the computationally expensive problem to each client device of the set of client devices,
    the computationally expensive problem causing each client device, of the set of client devices, to solve the computationally expensive problem;
  receiving, by the security device and from each client device of the set of client devices, a solution to the computationally expensive problem; and
  selectively granting or denying, by the security device, each client device, of the set of client devices, access to the resource based on whether the solution to the computationally expensive problem, received from each client device of the set of client devices, is correct.

16. The method of claim 15, where:
  each client device is granted access to the resource when the solution is correct, and
  when the solution is incorrect, each client device is denied access to the resource, and is provided an additional computationally expensive problem.

17. The method of claim 15, further comprising:
  determining a difficulty level for the computationally expensive problem.

18. The method of claim 17, where the difficulty level includes a value that represents a level of difficulty, on a difficulty scale, for the computationally expensive problem.

19. The method of claim 17, where determining the difficulty level for the computationally expensive problem comprises:
  determining the difficulty level for the computationally expensive problem based on at least one of:
    the denial-of-service metric,
    request categories for requests, of the plurality of requests, associated with the set of client devices,
    profiles associated with the set of client devices,
    request histories associated with the set of client devices, or
    probabilities that the requests, associated with the set of client devices, are suspicious or malicious.

20. The method of claim 15, further comprising:
  processing the solution by at least one of:
    comparing the solution to a stored value; or
    performing a calculation using the solution; and
  selectively granting or denying each client device, of the set of client devices, access to the resource based on processing the solution.
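The abstract and the claims above describe a client-puzzle (proof-of-work) gate: detect a denial-of-service condition from a traffic measurement, challenge only a percentage of clients, scale the puzzle's difficulty on a numeric scale from the DoS metric and a per-request suspicion probability, verify each answer by performing a calculation on it, and hand a failing client an additional puzzle. The following Python is an added illustration of that mechanism and is not code from the patent or from Juniper Networks. The concrete puzzle (find a nonce so that SHA-256 of the server's challenge plus the nonce has a given number of leading zero bits), the baseline request rate, the 3x-baseline detection threshold, the percentage and difficulty formulas, the keyed-hash client selection, and the names Gateway, Puzzle, dos_metric, challenge_percentage, difficulty_level, select_clients, solve and verify are all assumptions chosen for the example; the claims leave every one of them open.

```python
"""Client-puzzle DoS mitigation gateway (illustrative; not the patented implementation)."""
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical tuning constants, not from the patent.
BASELINE_RPS = 100.0        # request rate expected when no attack is in progress
MIN_BITS, MAX_BITS = 8, 20  # difficulty scale: leading zero bits required of the hash


def dos_metric(observed_rps: float, baseline_rps: float = BASELINE_RPS) -> float:
    """Denial-of-service metric from a traffic measurement: load relative to baseline (1.0 = normal)."""
    return observed_rps / baseline_rps


def attack_detected(metric: float, threshold: float = 3.0) -> bool:
    """Assumed detection rule: three times the baseline rate counts as an attack."""
    return metric >= threshold


def challenge_percentage(metric: float) -> float:
    """Fraction of clients to challenge; grows with the metric but stays below 100%
    so the challenged set is strictly smaller than the plurality of clients."""
    if not attack_detected(metric):
        return 0.0
    return min(0.9, 0.25 * (metric - 2.0))  # 3x -> 25%, 5x -> 75%, >= 5.6x -> 90%


def difficulty_level(metric: float, suspicion: float) -> int:
    """Difficulty on the MIN_BITS..MAX_BITS scale, from the DoS metric and a 0..1
    probability that this client's request is suspicious or malicious."""
    level = MIN_BITS + int(4 * (metric - 3.0)) + int(6 * suspicion)
    return max(MIN_BITS, min(MAX_BITS, level))


@dataclass
class Puzzle:
    challenge: bytes  # server-chosen random value, unique per issued puzzle
    bits: int         # leading zero bits required of sha256(challenge || nonce)


def verify(puzzle: Puzzle, nonce: bytes) -> bool:
    """Server-side check by performing a calculation on the solution: one hash."""
    digest = hashlib.sha256(puzzle.challenge + nonce).digest()
    return int.from_bytes(digest, "big") >> (256 - puzzle.bits) == 0


def solve(puzzle: Puzzle) -> bytes:
    """Client side: brute-force a nonce; expected cost is about 2**bits hashes."""
    n = 0
    while True:
        nonce = n.to_bytes(8, "big")
        if verify(puzzle, nonce):
            return nonce
        n += 1


def select_clients(client_ids, percentage: float, salt: bytes):
    """Pick exactly int(percentage * N) clients, ordered by a keyed hash so the choice is
    unpredictable to clients yet stable for the same salt."""
    ranked = sorted(client_ids, key=lambda cid: hashlib.sha256(salt + cid.encode()).digest())
    return ranked[: int(len(ranked) * percentage)]


class Gateway:
    """Security device in front of the resource; returns 'granted' or a Puzzle per client."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.pending: dict[str, Puzzle] = {}

    def issue(self, cid: str, bits: int) -> Puzzle:
        puzzle = Puzzle(secrets.token_bytes(16), bits)
        self.pending[cid] = puzzle
        return puzzle

    def handle(self, client_ids, observed_rps: float, suspicion: dict):
        """One batch of requests: everyone passes when no attack is detected; otherwise a
        percentage of clients gets a puzzle whose difficulty reflects metric and suspicion."""
        metric = dos_metric(observed_rps)
        if not attack_detected(metric):
            return {cid: "granted" for cid in client_ids}
        challenged = set(select_clients(client_ids, challenge_percentage(metric), self.salt))
        return {
            cid: (self.issue(cid, difficulty_level(metric, suspicion.get(cid, 0.0)))
                  if cid in challenged else "granted")
            for cid in client_ids
        }

    def submit(self, cid: str, nonce: bytes):
        """Grant on a correct solution; on an incorrect one deny access and hand out an
        additional puzzle of the same difficulty (a puzzle is single-use either way)."""
        puzzle = self.pending.pop(cid, None)
        if puzzle is None:
            return "denied", None
        if verify(puzzle, nonce):
            return "granted", None
        return "denied", self.issue(cid, puzzle.bits)
```

The asymmetry is the whole point: the gateway spends one SHA-256 per submitted answer, while a challenged client spends about 2**bits hashes, so flooding the gate costs the attacker far more than it costs the defender. Challenging only a percentage of clients, and raising the difficulty with the metric and the suspicion score, keeps the cost for ordinary users low while the attack is being absorbed.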
